Ports to be open. Special Scenario

  • Question

  • I have a customer whose FIM and DC1 servers will be located in Miami, while the DC2 server and the end users are located in Colombia.

    End users will use SSPR.

    I'd like to know whether it's necessary to open ports between FIMsrv and DC2 in order to support SSPR, i.e. the ports referred to in the link http://technet.microsoft.com/en-us/library/ee534892(WS.10).aspx.

    Any comment is very welcome.

     

    Thanks.  

    Tuesday, August 9, 2011 1:07 AM

Answers

  • For SSPR to work, your end users' clients need to be able to contact the FIM server. Contact with the DC on the local network is not enough. I guess the FIM server does not need to be able to contact the local DC, although if DC replication is slow, the users might find that their SSPR takes a while to work.
    /Frederik Leed
    Friday, August 12, 2011 7:55 PM

All replies

  • If FIM communicates only with DC1, then the document you linked to is correct.  If DC1 and DC2 are in the same domain, then they'll need the usual ports open for AD replication, etc.

     


    CraigMartin – Edgile, Inc. – http://identitytrench.com
    Friday, August 12, 2011 4:57 PM
  • Thanks Craig, so this means having the following ports opened between FIMsrv and DC2 srv:

    1. TCP/UDP 135 (RPC EPMapper)
    2. TCP/UDP 389 (LDAP, LDAP Ping)
    3. TCP 636 (LDAP over SSL)
    4. TCP 3268 (GC)
    5. TCP 3269 (GC SSL)
    6. TCP/UDP 53 (DNS)
    7. TCP/UDP 88 (Kerberos)
    8. TCP Dynamic (RPC)
    9. TCP/UDP 464 (Kerberos Change/Set Password)
    10. TCP 445 – (CIFS/ MICROSOFT-DS)

    Just a reminder that the end users are located on the same network as DC2. The required ports between DC1 and DC2 are actually already open.

    Friday, August 12, 2011 6:10 PM
  • If FIM is talking to DC1,

    and

    If DC1 and DC2 are in the same domain

    then

    I don't think FIM needs to talk to DC2 at all, unless DC1 goes down and FIM goes looking for another DC to talk to.

     


    CraigMartin – Edgile, Inc. – http://identitytrench.com
    Friday, August 12, 2011 6:11 PM
  • If the scenario were password synchronization, would it then be necessary to open ports between FIMsrv and DC2?
    Friday, August 12, 2011 6:48 PM
  • For SSPR to work, your end users' clients need to be able to contact the FIM server. Contact with the DC on the local network is not enough. I guess the FIM server does not need to be able to contact the local DC, although if DC replication is slow, the users might find that their SSPR takes a while to work.
    /Frederik Leed
    Friday, August 12, 2011 7:55 PM
  • Self Service Password Reset and Password Sync: One more thing to consider: when setting passwords, FIM Sync contacts the PDC emulator no matter which DC it normally communicates with. Therefore, is DC2 going to be the PDC emulator, or is it likely to become so? If so, then you do need the ports opened as described in the TechNet article you referenced.

     

    Password Sync consideration (instructions on setting up PCNS): Assuming DC1 and DC2 are in the same domain, then if that domain is to be the source for passwords to be synchronized to other systems, you need to follow the instructions found here for which ports to open:

     

    Service                                                      Protocol   Port
    RPC Endpoint mapper                                          TCP        135
    Dynamic RPC ports (PCNS)                                     TCP        5000 - 5100
    Dynamic RPC ports (management agent for Active Directory)    TCP        57500 - 57520


    David Lundell, Get your copy of FIM Best Practices Volume 1 http://blog.ilmbestpractices.com/2010/08/book-is-here-fim-best-practices-volume.html
    Friday, August 12, 2011 10:05 PM
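    The two open questions in this thread are practical ones: which DC holds the PDC emulator role (David's point above), and whether the fixed TCP ports listed in the earlier reply are actually reachable from FIMsrv to DC2. The following PowerShell script is an added example for checking both from the FIM server; it is not from the thread, the TechNet article, or any FIM/PCNS component. The DC name and the timeout are placeholders, the port list is the TCP subset of the list posted above (UDP 53/88/389/464 cannot be verified with a TCP connect test), and it deliberately uses System.DirectoryServices and System.Net.Sockets rather than the RSAT AD module or Test-NetConnection so that it also runs on older Windows Server builds. Note that the PCNS rows in David's table describe connections that the PCNS service on a domain controller opens towards the FIM Synchronization Service, so a connect test from FIMsrv does not cover them; only the endpoint mapper and the AD management agent's range are tested in the FIM-to-DC direction here.

```powershell
# Added example, not part of the original thread.
# Run on the FIM server (FIMsrv). Reports the domain's PDC emulator and
# tests TCP reachability of the AD ports discussed above against one DC.
param(
    [string]$DomainController = "DC2.example.com",  # assumption: replace with the real DC2 FQDN
    [int]$TimeoutMs = 2000                          # assumption: per-port connect timeout
)

# 1. Which DC holds the PDC emulator role? FIM Sync sets passwords against it
#    regardless of which DC the AD management agent normally talks to.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc    = $domain.PdcRoleOwner.Name
Write-Host ("PDC emulator for domain {0}: {1}" -f $domain.Name, $pdc)
if ($pdc -ieq $DomainController) {
    Write-Warning "$DomainController holds the PDC emulator role; password sets from FIM will target it even if DC1 is the usual DC."
}

# 2. TCP ports from the list earlier in the thread, plus the AD MA dynamic RPC
#    range from the PCNS table (57500-57520). Each entry is @(port, description).
$ports = @(
    @(135,  "RPC endpoint mapper"),
    @(389,  "LDAP"),
    @(636,  "LDAP over SSL"),
    @(3268, "Global Catalog"),
    @(3269, "Global Catalog over SSL"),
    @(53,   "DNS (TCP)"),
    @(88,   "Kerberos (TCP)"),
    @(464,  "Kerberos change/set password (TCP)"),
    @(445,  "SMB / MICROSOFT-DS")
)
57500..57520 | ForEach-Object { $ports += ,@($_, "AD MA dynamic RPC range") }

# Non-blocking connect with a timeout; a firewall that silently drops SYNs
# would otherwise make each test wait for the full OS connect timeout.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$Timeout)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($Timeout, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

Write-Host ("`nTCP reachability from {0} to {1}:" -f $env:COMPUTERNAME, $DomainController)
foreach ($entry in $ports) {
    $port = $entry[0]; $name = $entry[1]
    $open = Test-TcpPort -ComputerName $DomainController -Port $port -Timeout $TimeoutMs
    $state = if ($open) { "open" } else { "blocked/closed" }
    "{0,-6} {1,-40} {2}" -f $port, $name, $state
}
```

    A port in the 57500-57520 range only shows as open if the AD management agent's RPC range has actually been restricted and a listener happens to be bound there, so a "blocked/closed" result for that range on its own is not proof of a firewall problem; the endpoint mapper (135) result is the meaningful one for RPC. The PDC emulator check is the quick answer to the question below about whether DC2 holds that role.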
  • Thanks Fred and David,

    actually I don't have all the information needed to know whether DC2 is the PDC emulator. If it is, then ports between FIM and DC2 will need to be opened. If not, as I understand it, only a great replication scheme between DC1 and DC2 is required to have good SSPR performance, without opening ports between FIM and DC2. Am I OK?

    Saturday, August 13, 2011 4:41 PM